November 17, 2023

LTIMindtree prevents security breaches with Microsoft Defender Experts for Hunting

LTIMindtree is a global technology consulting and digital solutions company that enables enterprises across industries to reimagine business models, accelerate innovation, and maximize growth by harnessing digital technologies. The company wanted to perform proactive threat hunting beyond the usual endpoints and extend detection to identity, email, and cloud apps. It also wanted to improve the efficiency of its SOC team by freeing in-house resources from routine hunting coverage, so the team could focus on other critical SOC activities. LTIMindtree turned to Microsoft and implemented Microsoft Defender Experts for Hunting, a human-led managed service designed to augment a SOC's threat hunting capabilities and prioritize significant threats. Within a couple of months of implementing the service, LTIMindtree received at least six Defender Experts Notifications it would otherwise not have received, each of which allowed remediation to begin at an early stage, before the threat could escalate.


“From the get-go, we wanted to use Microsoft because we always believed in a platform story. We wanted a platform with homogeneous and symmetric solutions that talk to each other and a team who could give us meaningful information.”

Chandan Pani, Chief Information Security Officer, LTIMindtree

State-of-the-art security

Global technology consulting and digital solutions company LTIMindtree supports more than 700 customers, ranging in size and industry from small and medium-sized manufacturers to technology giants. Its 30-person SOC (security operations center) team oversees the company's cybersecurity operations using technologies based on artificial intelligence, machine learning, and integrated threat intelligence. The team is primarily responsible for monitoring security alerts from multiple interfaces, triaging them as genuine threats or false positives, and consulting subject matter experts where needed. Through continuous monitoring integrated with threat intelligence, the SOC team keeps the business, its networks, its data, and its customers safe from cyberattacks and data breaches.

Mergers and manual processes

Before November 2022, LTIMindtree existed as two separate companies. The merger left the organization with a mix of Microsoft and non-Microsoft security solutions and three separate tenants (the two original companies' tenants plus a third for the merged entity). Threat hunting became more complicated as a result: three different interfaces, two different solution sets, and multiple OEMs and vendors.

“We had some challenges when it came to threat hunting aggregation and getting meaningful outcomes from those correlations,” says Chandan Pani, Chief Information Security Officer at LTIMindtree. Different systems produced different results and OEMs were all speaking different “languages.” “We had to process many things manually to figure out whether signals were false positives or alerts that we should be worried about,” says Pani. Some events were easier to process, taking less than a couple of hours, but when different systems, assets, and users needed to be consulted and traced, this process took way longer. “It could take more than six or seven hours, and holding on to events for a couple of hours is not good for anyone,” says Pani.

Given the time-consuming and specialized nature of threat hunting, LTIMindtree searched for a solution that could save time and effort and free up the SOC team's bandwidth. The solution would also need to let employees engage with the OEM directly and on demand. "It's already very complex to have a threat hunting process within an organization," says Pani. "Now in today's environment where attack vectors and complexities are increasing every day, it is going to be very tedious for any organization to have a bunch of folks who can work day in, day out on this kind of cutting-edge technology. So, it's better to hand it over to somebody who already has the expertise and can do it better than the team on the ground."

A unified view of the environment

"From the get-go, we wanted to use Microsoft because we always believed in a platform story. We wanted a platform with homogeneous and symmetric solutions that talk to each other and a team who could give us meaningful information," says Pani. The company had already adopted Microsoft 365 Defender, which collects, correlates, and analyzes signal, threat, and alert data from across Microsoft 365 environments, including endpoints, email, applications, and identities. Microsoft 365 Defender uses AI and automation to stop attacks and return affected assets to a safe state. The SOC team monitors the resulting alerts in its SIEM console. With Microsoft Defender Experts for Hunting integrated with these Microsoft Security solutions, LTIMindtree gained a unified view of its environment, which made tracking threats more effective. The service is staffed by full-time Microsoft analysts who know the Microsoft ecosystem and hunt proactively within the customer's environment.

LTIMindtree implemented Microsoft Defender Experts for Hunting across all three tenants without disruption. "Managed threat hunting services detect and address security threats before they become major incidents, reducing potential damage," says Pani. "By implementing this, we enhance our cybersecurity posture by having experts who continuously look for hidden threats, ensuring the safety of our data, reputation, and customer trust." The SOC team receives Defender Experts Notifications, tagged so the team can distinguish them from other alerts, that describe the threat and the attack flow and include advanced hunting queries for surfacing related activity in the environment.

Since implementing Microsoft Defender Experts for Hunting, LTIMindtree has received at least six Defender Experts Notifications that would otherwise have been missed, which were critical for taking remediation action at the initial stages and protecting the company from an escalated threat. In addition, with the Experts on Demand capability, the SOC team has the flexibility to determine how they solve queries. They can either solve internally or engage with a Microsoft expert to get more context on a particular threat or incident.

Better correlation, better automation

Now, in complex attack scenarios where attackers use new tools, techniques, and procedures that are unknown or unclear to the SOC team, Microsoft can help the team determine whether something significant is happening and whether it should act. "The correlation is more automatic and more on the platform," says Pani. "The signals that we are getting are more meaningful and validated by a bunch of experts."

The SOC team gains an additional layer of support for complex hunting scenarios, low-fidelity signals, and cases where a signal from one of the tenants is missed. This support from Microsoft Defender Experts for Hunting has improved the overall efficiency of the SOC team, prevented security breaches, and given the team time to handle other SIEM alerts promptly and improve average incident response times for customers. The team also has a better understanding of attack flows, the scope of threats, and how events correlate across a timeline.

"The kind of on-demand support provided to us from the team on the ground from the Microsoft side makes it very simple for us to troubleshoot," says Pani. The Microsoft platform and solution team has helped the SOC improve its time to respond and handle more complex attacks. Pani adds, "Microsoft Defender Experts for Hunting makes things a lot simpler for the folks on the ground. It's also offered great reassurance to customers who want to know how secure the company is, especially with one of the world's largest software organizations there to support us."

Democratizing security expertise

The migration resulting from the merger is 60 to 70 percent complete, and LTIMindtree is working closely with Microsoft to ensure that the mailbox and OneDrive migrations go smoothly. Microsoft Security Copilot is planned to become the nerve center for all Microsoft Security solutions at LTIMindtree. "Copilot can democratize security to the end user. It is no longer just with the subject matter expert. The average analyst training time used to be a couple of months, and that can reduce drastically if you're using Copilot," says Pani. The combination of a human-led managed service and generative AI is expected to give the SOC team the best of both worlds: greater SOC capacity and a stronger posture, along with deeper in-house expertise.

Overall, the SOC team is more flexible and efficient. LTIMindtree looks forward to continued collaboration and support from Microsoft and Microsoft Defender Experts for Hunting. “We have seen Microsoft Defender Experts for Hunting maturing, and we have seen experts helping us a lot more than before,” says Pani. “So, I’m sure a lot of good things are there in the pipeline.” 


